ERM, similar to most business processes, is not a “one-size-fits-all” solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes, “An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization’s corporate strategies, business activities and external environment.” (April 10, 2006)

Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company’s legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry, and must, of course, be tailored to the company’s internal processes and culture. Further, the risk framework must be able to adapt to change over time, or the company risks losing competitive advantage.

I’ll be the last one to tell you that a strong central risk management function is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate and push risk management to lower levels of responsibility in the organization. It’s a classic consistency versus quality-of-information problem.

Accurate information lies at the business line level – a manufacturing company’s CRO may not know that the company is throwing away millions of dollars a year due to a lack of quality suppliers, but the supplier quality manager certainly does. The challenge is that it’s traditionally very expensive to consolidate this local, lower-level information. Organizations attempt to survey and assess process owners, but the information comes back in various formats and at various levels of quality, and it leads to information silos – it’s impossible to get an apples-to-apples comparison. Out of frustration, many of these efforts fail, leaving only a strong centralized risk function.

Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to do that reliably is to invest in automated technology solutions.

Spreadsheet gurus have carved out a significant role in managing financial and operational data in many companies. The problem with this approach is that it’s a) manually intensive and b) highly reliant on the individuals who manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, leading to significant risks associated with this data.

Freddie Mac, for instance, in their 2005 annual report noted that their reliance on “end user computing systems” (read: Excel) posed a significant risk to their ability to report accurately on their financial data. More recently, other financial institutions have noted that the Fed and OCC are shining a light on this undocumented spreadsheet problem, looking for more transparency to the data in spreadsheets and file shares.

The reality is that using spreadsheets and file shares for risk and compliance data is a dead end. While companies may be able to get through one cycle of review with internal auditors, a regulator and/or rating agency, the long term implications of adopting a spreadsheet-based architecture for risk and compliance data are extremely problematic. Not only will risk managers have trouble getting visibility into the data because of poor reporting capabilities, but they will also rightly question the accuracy of the data itself. This skepticism is precisely why so many companies are moving off spreadsheets to a more programmatic approach to managing risk and compliance initiatives.

A traditional model for planning the audit process typically examines 10-20 risk factors for each element of the audit universe and buckets each auditable entity into a risk categorization, which then drives the frequency with which it is audited. While this approach may have worked well in the past, modern audit departments are being asked to do more with less. The known risk universe gets bigger by the day, and investing in a massive risk evaluation for each entity may not be the best use of resources. Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office?

Progressive organizations are turning towards a more agile, top-down approach to risk assessment to drive audit scheduling. This leads to more efficient resource allocation, ensuring auditors are focused on the truly risky areas.

Attrition.org maintains a list of public, high-profile data breaches. The list is staggeringly long, and goes back to the year 2000. TJX, while a high-profile data breach and perhaps one of the biggest stories of 2007, is only one of the many that were publicly reported. And companies have a vested interest in not making these events public. Add to that the breaches that happen every day and go undiscovered, and it becomes clear that this staggeringly long list is just the tip of the iceberg.

But why is this list growing? Preventative technology and knowledge gets better and better every day. Shouldn’t we be getting safer? Information risk management is sometimes a thankless job. As an old mentor of mine used to say, a good day is a day where nothing happens. The villains get better and better every day, however, and the gap remains. Your organization is susceptible, and it’s critical you do everything you can to keep the gap as narrow as possible.
